Andrew Otto created FLINK-32041:
-----------------------------------
Summary: flink-kubernetes-operator RoleBinding for Leases not
created in correct namespace when using watchedNamespaces
Key: FLINK-32041
URL: https://issues.apache.org/jira/browse/FLINK-32041
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Affects Versions: kubernetes-operator-1.4.0
Reporter: Andrew Otto
When enabling [HA for
flink-kubernetes-operator|https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/operations/configuration/#leader-election-and-high-availability]
a RBAC rules must be created to allow the flink-operator to manage k8s Lease
resources. When not using watchNamespaces, the RBAC rules are created at the
k8s cluster level scope, giving the flink-operator ServiceAccount the ability
to manage all needed k8s resources for all namespaces.
However, when using watchNamespaces, RBAC rules are only created in the
watchNamepaces. For most rules, this is correct, as the operator needs to
manage resources like Flink pods and deployments in the watchNamespaces.
However, For flink-kubernetes-operator HA, the Lease resource is managed in the
same namespace in which the operator is deployed.
The Helm chart should be fixed so that the proper RBAC rules for Leases are
created to allow the operator's ServiceAccount in the operator's namespace.
Mailing list discussion
[here.|https://lists.apache.org/thread/yq89jm0szkcodfocm5x7vqnqdmh0h1l0]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
